RE: Sample Risk Assessment Report

From: Cure, Samuel J (scure_at_kpmg.com)
Date: 01/14/05

    To: "'Tyler Markowsky'" <tyler.markowsky@seccuris.com>, "'Mambo'" <mamboz@gmail.com>, pen-test@securityfocus.com
    Date: Fri, 14 Jan 2005 12:37:33 -0500
    This raises a question. Is this a top-down approach or a bottom-up approach
    based on the OSI model, with the business layer being on top? The challenge with
    mapping assets to vulnerabilities using a bottom-up approach is the ability
    to identify business risk associated with findings. If a bottom-up approach
    is being used, then the technical assessments are performed first.
    Therefore, trying to identify the assets or business risk after the
    technical assessment is performed increases the chance of missing something
    with business impact.

    As Tyler mentioned, target audience is key and I concur with the report
    content he listed.

    Others? Thoughts?

    -scure

    -----Original Message-----
    From: Tyler Markowsky [mailto:tyler.markowsky@seccuris.com]
    Sent: Thursday, January 13, 2005 6:10 PM
    To: 'Mambo'; pen-test@securityfocus.com
    Subject: RE: Sample Risk Assessment Report

    Hello Mambo-

    Who will be the audience of this report? Board-level? Executive management?
    IT Security professionals?

    Depending on who will be reading it, try to apply your knowledge of the
    organization's assets and critical business functions to the discovered
    vulnerabilities. This will provide value not only to those who are highly
    technical, but also to those who are not.

    Best,

    Tyler Markowsky
    Information Risk Analyst
    Seccuris

    -----Original Message-----
    From: Mambo [mailto:mamboz@gmail.com]
    Sent: Thursday, January 13, 2005 5:04 AM
    To: pen-test@securityfocus.com
    Subject: Sample Risk Assessment Report

    Hi All,

            Any idea about any sample Risk Assessment Reports available
    on the net? Was searching but got very few, which are not worth
    mentioning.

    Cheers
    Mambo

    """Security-- Someone gave birth...But i Own it..now..."""

